diff --git a/compose/rest/attachment.go b/compose/rest/attachment.go
index 85ec9c4576..f6883a9895 100644
--- a/compose/rest/attachment.go
+++ b/compose/rest/attachment.go
@@ -3,11 +3,12 @@ package rest
 import (
 	"context"
 	"fmt"
-	"github.com/cortezaproject/corteza-server/pkg/api"
 	"io"
 	"net/http"
 	"net/url"
 
+	"github.com/cortezaproject/corteza-server/pkg/api"
+
 	"github.com/cortezaproject/corteza-server/compose/rest/request"
 	"github.com/cortezaproject/corteza-server/compose/service"
 	"github.com/cortezaproject/corteza-server/compose/types"
@@ -142,6 +143,7 @@ func (ctrl Attachment) serve(ctx context.Context, namespaceID, attachmentID uint
 		w.Header().Add("Content-Disposition", "attachment; filename="+name)
 	} else {
 		w.Header().Add("Content-Disposition", "inline; filename="+name)
+		w.Header().Add("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
 	}
 
 	http.ServeContent(w, req, name, att.CreatedAt, fh)
diff --git a/system/rest/attachment.go b/system/rest/attachment.go
index 85fc9527c1..013d742054 100644
--- a/system/rest/attachment.go
+++ b/system/rest/attachment.go
@@ -129,6 +129,7 @@ func (ctrl Attachment) serve(ctx context.Context, attachmentID uint64, preview,
 		w.Header().Add("Content-Disposition", "attachment; filename="+name)
 	} else {
 		w.Header().Add("Content-Disposition", "inline; filename="+name)
+		w.Header().Add("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
 	}
 
 	http.ServeContent(w, req, name, att.CreatedAt, fh)
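Review bot: The new Content-Security-Policy line in the inline branch of compose/rest/attachment.go (and the identical line in system/rest/attachment.go) is not paired with a MIME-sniffing guard, so a browser may still content-sniff an inline-served upload whose stored content type is generic; the sandbox directive keeps such content from running script, but the usual companion header is cheap to add alongside it: `w.Header().Set("X-Content-Type-Options", "nosniff")`. The policy string is duplicated verbatim in both files; a single shared constant such as `const inlineAttachmentCSP = "default-src 'none'; style-src 'unsafe-inline'; sandbox"` would keep the two handlers from drifting apart. The adjacent `Content-Disposition` value concatenates `name` unquoted, and if `name` derives from the uploaded filename, `mime.FormatMediaType("inline", map[string]string{"filename": name})` would emit a properly quoted parameter, though that line predates this commit. `serve` begins and ends outside both hunks.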